The Secure Use of Open Source PHP / UCCS CS591 Fall 2009

The Secure Use of

Open Source PHP

Prepared for Dr. Edward Chow

by

Abdullah Almurayh


Index

Abstract
Introduction
PHP
Open Source PHP
Open Source PHP Vulnerabilities
Open Source PHP Protection
Open Source PHP Hacking Demos
Future outlook
Conclusion
References


1. Abstract

PHP is one of the most popular web languages. It is used widely on many web servers. People like to build their personal web sites on top of a PHP environment using different kinds of operating systems, including Linux, Unix, Solaris, OpenBSD, Microsoft Windows, Mac OS X, RISC OS, and several others. PHP is supported by most web servers today, including Apache, Microsoft Internet Information Server, Personal Web Server, Netscape and iPlanet servers, O'Reilly WebSite Pro server, Caudium, Xitami, OmniHTTPd, and many others. Therefore, people have the freedom to choose an operating system and a web server. It is considered an easy language to learn and develop in. There are many readily distributed programs written in PHP around the world, and many trusted web sites have their pages programmed in PHP. The interesting thing is that PHP is simple for a newcomer; however, there are many advanced concepts that may be difficult to learn. Many open source programs are advanced enough that they are written by professional programmers. These programs are usually more secure than programs published by beginning or intermediate learners. However, there have been numerous vulnerabilities in PHP code that make it easy for hackers or crackers to gain full access to a website. Consequently, simple code is the most likely target for hackers and crackers to go through when exploiting whatever vulnerabilities may be found, and from there they continue their journey toward the root of the server.


2. Introduction

Open source PHP programs can be easily acquired, either for a nominal price or free of cost. A PHP program can be read, and how it works understood, by many people. Many people think that this does not matter since the programs are written by professional programmers and are therefore secure. In fact, open source code can be so dangerous that hackers or crackers use open source code to carry out their malicious attacks. Assuming someone has his own website that he wants to build on a PHP open source portal, the question becomes: how can that be dangerous, and how can he protect his website? In my research I am going to show some important open source PHP programs that have the highest level of security, since they were written by expert teams. However, they can be easily hacked in many ways, and some important methods are shown later. On the other hand, there are various possible solutions that can help website owners protect their websites.


3. PHP

3.1. History:

PHP was created in 1994 by the famous programmer Rasmus Lerdorf. In the beginning, PHP was known as “Personal Home Page”; today, however, it is known as “PHP: Hypertext Preprocessor”. The initial goal of making PHP was to create dynamic web pages that make a web site more interactive. It became widely used around the world. PHP is now considered an open-source language. Moreover, PHP is one of the “high-level” languages, and is therefore easier to learn than other programming languages. According to the Wikipedia article named “PHP”,
“PHP was originally designed for use in Web site development, but rapidly grew to become a much more robust language. PHP's primary use is as an "embedded" scripting language, which means that the actual PHP code is embedded in HTML code. When used in this way, PHP enables your web server to process web pages before they're displayed in the user's web browser.”

3.2. What is PHP?

Figure 1. Web request processing with and without PHP.

PHP stands for Hypertext Preprocessor (originally Personal Home Page). It is a server-side programming language that is used to create dynamic web pages, and it can be embedded into HTML pages. It can create web pages faster than HTML or JavaScript alone. In addition, it borrows some syntax from C and C++. The PHP code is enclosed in special start and end processing instructions, <?php … ?>, that allow the programmer to jump into and out of PHP mode.

The big difference between PHP and JavaScript is that PHP code is executed on the server, which generates only HTML and sends that to the client, so the PHP source code is hard to read from the client side. The article titled “Basics of Php” addresses that subject: “As its name ("PHP: Hypertext Preprocessor") suggests, PHP derives its power by "preprocessing" hypertext on the server side. This generally means that when the PHP script (saved as a .php file) runs on your web server, it performs the programmed actions, and returns HTML code that will then be sent back to the client’s web browser. The PHP script itself is not included in the HTML that is sent to the browser, so the PHP code is invisible and secure from the user.” That means whenever someone browses to a PHP page, every request for that page is sent to its web server, which processes the request. The web server then delivers the result to the user in the form of HTML. If the user views the source of the page, he will find only HTML; no PHP functions, variables, or statements appear.
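The following page, added here as an illustration and not taken from the paper, shows how PHP blocks are embedded in HTML and what the browser actually receives. The product list is constructed sample data standing in for a database result, and the helper h() is a hypothetical name for a one-line wrapper around htmlspecialchars().

```php
<?php
// Added example (not from the paper): a small embedded-PHP page.
// Everything between <?php ... ?> runs on the server; the browser
// only ever receives the HTML the script emits.

// Constructed sample data standing in for a database result.
$products = [
    ['name' => 'Notebook', 'price' => 12.50],
    ['name' => 'Pen <b>set</b>', 'price' => 3.00],   // contains markup on purpose
];

// Escape any value that came from outside the script before it is placed
// in HTML, so that data cannot be mistaken for markup by the browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head><title>Price list</title></head>
<body>
<h1>Price list</h1>
<ul>
<?php foreach ($products as $p): ?>
  <li><?= h($p['name']) ?>: $<?= number_format($p['price'], 2) ?></li>
<?php endforeach; ?>
</ul>
<p>Generated at <?= h(date('Y-m-d H:i:s')) ?></p>
</body>
</html>
```

Saved as a .php file and requested through a PHP-enabled web server, the client sees only lines such as `<li>Pen &lt;b&gt;set&lt;/b&gt;: $3.00</li>`; the array, the function and the loop never leave the server. Note that this only hides the code: any data the script places into the page is fully visible, which is why the example escapes it before output.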

3.3. What can PHP do?

PHP can collect form data, generate dynamic page content, or send and receive cookies. It can perform math operations such as summing, dividing, subtracting, and multiplying. It can execute logical operations such as <, >, =, and, or, not, and the like.

A strong feature of PHP, and a danger at the same time, is that PHP can generate files and save them in the file system, whether as a way of printing information out or to form a server-side cache of a client’s dynamic content.

One of the strongest and most significant features in PHP is its support for a wide range of databases. Writing a database-enabled web page is incredibly simple. The following databases are currently supported: MySQL, ODBC, dBase, Unix dbm, SQLite, IBM DB, Oracle, and more.

PHP supports communicating with services over protocols such as POP3, HTTP, IMAP, SNMP, and others.

PHP can handle files with many utility functions, such as converting between file types, search engine functions, IRC gateway functions, compression functions, calendar conversion functions, translation functions, and others like them. It is beyond the scope of this research to list all the benefits that PHP can offer.
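The script below is an added example, not code from the paper, that exercises several of the capabilities listed in this section in one place: it reads form data, sets a cookie, queries a database and writes a server-side cache file. It assumes PHP 7.4 or later with the PDO SQLite driver; the in-memory table, its rows and the cache directory path are constructed for the example, and the function names are hypothetical.

```php
<?php
// Added example (not from the paper): form data, a cookie, a database
// query and a server-side cache file in one script.
// Assumptions: PHP 7.4+ with the PDO SQLite driver; CACHE_DIR is a
// hypothetical path that must be writable by the web server.

declare(strict_types=1);

const CACHE_DIR = __DIR__ . '/cache';

// 1. Form data: read the search term from the query string (?q=...).
$term = isset($_GET['q']) ? trim((string) $_GET['q']) : '';

// 2. Cookie: remember the last search. HttpOnly keeps it out of reach
//    of client-side script; PHP URL-encodes the value for us.
if ($term !== '') {
    setcookie('last_search', $term, ['httponly' => true, 'samesite' => 'Lax']);
}

// 3. Database: an in-memory SQLite table (constructed data) stands in
//    for a real MySQL or PostgreSQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO article (title) VALUES ('PHP basics'), ('Apache setup'), ('MySQL tuning')");

// The term is passed as a bound parameter, never concatenated into the SQL text.
function searchArticles(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, title FROM article WHERE title LIKE :pattern ORDER BY id');
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. File system: cache the rendered list. The file name is a hash of the
//    term, so user input never becomes part of a path on the server.
function cachePath(string $term): string
{
    return CACHE_DIR . '/' . hash('sha256', $term) . '.html';
}

// Escape titles on the way into HTML, exactly as for any other external data.
function renderList(array $rows): string
{
    $out = "<ul>\n";
    foreach ($rows as $row) {
        $out .= '  <li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out . "</ul>\n";
}

$path = cachePath($term);
if (is_file($path) && filemtime($path) > time() - 60) {
    $html = file_get_contents($path);            // cache hit, less than a minute old
} else {
    $html = renderList(searchArticles($db, $term));
    if (is_dir(CACHE_DIR) || mkdir(CACHE_DIR, 0750, true)) {
        file_put_contents($path, $html, LOCK_EX);  // refresh the server-side cache
    }
}

header('Content-Type: text/html; charset=UTF-8');
echo "<!DOCTYPE html>\n<title>Search</title>\n", $html;
```

Requesting the script as search.php?q=PHP returns a list containing only “PHP basics” and leaves a cache file under the hypothetical cache directory. The two design choices worth noting are that the query uses a prepared statement with a bound parameter, and that the file name written to disk is derived from a hash rather than from the request itself, which keeps the file-writing feature the paper describes as a danger confined to one directory with server-chosen names.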

3.4. PHP utilities:

PHP programs require some important utilities that programmers need to make and run their programs. Also, users who are willing to run readily available open source programs need to have these important elements.

1.  PHP server: the environment in which PHP code is executed. The server can be:

a.  Web server host: a website hosted on a server that has PHP installed.

b.  Localhost: software that allows users to run PHP pages on their own computers. The most popular local servers are:

i.  Apache server.

ii.  PHP-GTK.

iii.  Nanoweb.

iv.  Orange Server.

v.  BadBlue.

2.  PHP Coder: an integrated development environment for PHP programmers that tightly integrates the PHP interpreter and the PHP documentation.

3.  Writing desktop applications: PHP is probably not the best language for creating a desktop application with a graphical user interface, but if you know PHP very well and would like to use some advanced PHP features in your client-side applications, you can use PHP-GTK to write such programs.


What is PHP?

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. If you are new to PHP and want to get some idea of how it works, try the introductory tutorial. After that, check out the online manual, and the example archive sites and some of the other resources available in the links section.

Ever wondered how popular PHP is? See the Netcraft Survey.

4. Open Source PHP:

4.1: Open Source PHP Systems:

There are many open source programs and systems that are used on a lot of websites. We can call an open source PHP code base a program or a system depending on its size and features; being an advanced piece of code also qualifies it to be called a system. Today, open source PHP systems are widely distributed and well known. We can briefly learn about some of the important systems, such as:

4.2: Famous Open Source PHP:

4.2.1: Bulletin Boards

1. vBulletin:
A commercial Internet forum software produced by Jelsoft Enterprises and vBulletin Solutions, both subsidiaries of Internet Brands. It is written in PHP and uses a MySQL database server.

2. MyBB:
MyBB is a discussion board that has been around for a while; it has evolved from other bulletin boards into the forum package as it is known today. Therefore, it is a professional and efficient discussion board, developed by an active team of developers. The MyBB history has been recorded and is available for the interested to read. You can also read more about the MyBB team and why they develop MyBB in their spare time. The developers also like to highlight the most active and contributing fan sites of the MyBB community.

3. phpBB:
phpBB is a high-powered, fully scalable, and highly customizable open-source bulletin board package. phpBB has a user-friendly interface, a simple and straightforward administration panel, and a helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. Features include: unlimited forums and posts, multiple language interface, private or public forums, powerful search utility, private messaging system, and templates.

4.2.2: Databases

1. Firebird:
A relational database offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms.

2. PostgreSQL:
An advanced PostgreSQL-based search engine that provides online indexing of data and relevance ranking for database searching. Close integration with the database allows use of metadata to restrict search results. Operating systems: Windows, Linux/Unix, OS X, Solaris.

4.2.3: Content Managers

1. Joomla:
One of the most powerful Open Source Content Management Systems on the planet. It is used all over the world for everything from simple websites to complex corporate applications. Joomla is easy to install, simple to manage, and reliable.

2. Drupal:
An open source content management platform equipped with a powerful blend of features. Drupal supports a variety of websites ranging from personal weblogs to large community-driven websites.

3. WordPress:
A state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability.

4. Plone:
A Content Management System built on top of the open source application server Zope and the accompanying Content Management Framework.

5. XOOPS:
An extensible, object-oriented, easy-to-use dynamic web content management system written in PHP. XOOPS is the ideal tool for developing small to large dynamic community websites, intra-company portals, corporate portals, weblogs and much more. Read the “All about XOOPS” page for more details.

6. OpenCms:
A professional, easy-to-use website content management system. It is based on Java and XML technology. It can be deployed in an open source environment (e.g. Linux, Apache, Tomcat, MySQL) as well as on commercial components (e.g. Windows NT, IIS, BEA WebLogic, Oracle).

7. PHP-Nuke:
A powerful Open Source portal application. It can be used as a weblog or as a CMS. PHP-Nuke allows webmasters and editors to easily post new content and comment on existing articles. PHP-Nuke is mostly used for game clan and guild sites. It is free software, released under the GNU License.

8. WebGUI:
WebGUI is a web application framework and web content management system that puts the publishing power in the hands of the people who create the content, rather than the IT staff. Join the thousands of businesses, universities, and schools that have found out just how easy the web can be.

According to a survey of open source PHP usage statistics, many of these systems will seem familiar to us.


5. Open Source PHP Vulnerabilities:

5.1: Open Source PHP threats:

PHP is free in the sense that its source code is open and can be seen by anyone. All types of open source PHP code and applications are available on open source web sites, and many big organizations build their own open source PHP programs and publish them online for a license fee. However, many companies avoid open source PHP projects for fear of being exploited. To categorize open source PHP programs, we can consider some primary kinds of programs depending on the concept a program is based on. These kinds include management, auctions, file managers, bulletin boards and forums, business and enterprise, calendars and events, chat, content management, customer support, databases, e-commerce, education, email, forms, games, guest books, image galleries, link indexing, polls and surveys, search engines, server management, web hosting tools, and the like.